npm tackles its riskiest security problems
Install scripts no longer run automatically
Approvals via allowlist
Git and remote dependencies with caveats
What developers should do now
With npm v12, GitHub closes a central attack path: starting July 2026, install scripts from dependencies will run only after explicit approval.

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

GitHub finally pulls the plug on automatic install script execution for npm

GitHub announces npm security changes to tackle supply-chain attacks

Upcoming breaking changes for npm v12 - GitHub Changelog

GitHub pulls pin on npm's auto-run scripts

The Security Risk of 'npm install': Why We Built Our UI with Zero Component Libraries

Microsoft's npm Packages Got Backdoored. Again. And AI Agents Pulled the Trigger.

When Package Managers Can't Help: Defending AI Agent Skills Against Supply Chain Attacks

I Researched the Red Hat npm Incident — Here's What Every Developer Should Know

npm 12 disables install scripts by default, requiring explicit approval to reduce dependency-based code execution risks.

The change, expected in July, will likely block one of the more common attack vectors; developers are wondering what took GitHub…

GitHub has announced that npm v12, expected next month, will introduce several security-focused changes aimed at blocking…

Our next npm major version, v12, introduces security-related default changes to npm install. All these changes are available…

Attackers can once again break out of the Node.js sandbox vm2 and execute malicious code on the host system. Security updates…

GitHub added npm staged publishing with mandatory 2FA approval to reduce software supply chain attack risks.